Almost four million Quidd users have credentials exposed

The credentials of almost four million users of the collectible-trading website Quidd have been discovered on a deep-web hacking forum, according to Risk Based Security (RBS).

A threat actor going by the name ‘ProTag’ originally posted the compromised data on March 12 this year, after which they were removed.

They were reposted by a different user, however, on March 29. Another threat actor responded to this post stating they had decrypted nearly a million password hashes, says RBS.

A RBS researcher confirmed the claim after affirming the creditability of the poster. RBS says the leaked data sets include email addresses, usernames, and bcrypt hashed passwords of 3,954,416 users.

RBS also revealed that the data leak contains email addressed belonging to many well-known organisations, including Microsoft, Accenture, Virgin Media, Target and AIG.

This development vastly increases the potential for attackers with access to this data to launch effective phishing campaigns.

ZDNet, a cybersecurity news site, says it has learned that the leaked data from Quidd has been ‘trading privately among high-level groups for months’, and that posts advertising the data have been circulating on various hacking forums and Pastebin since late last year.

The recent development represents the leak of the data into the public domain, which according to ZDNet occurred last month when a data trader posted a copy of the Quidd data on a publicly accessible hacker forum.

The data has since been spread countless times on many different forums, all but ensuring its proliferation across the internet.

Referring to RBS’s research indicating the passwords leaked were protected with a bcrypt hashing algorithm, ZDNet says this bodes well for victims of the breach as ‘reversing bcrypt-protected passwords into their plaintext format is considered incredibly difficult and a time and resource-consuming operation.’

ZDNet says that use of the bcrypt algorithm is also very likely the reason why the Quidd data has leaked on public hacking forums in the first place.

A data trader told ZDNet that bcrypt is not in high demand, as spam, malware, and online fraud groups are ordinarily more interested in data that contains cleartext passwords.

This is because it’s generally easier to breach and take over these accounts, thereby acquiring the opportunity to instigate their attack campaigns.

ZDNet has confirmed that hackers have now begun working on cracking the Quidd passwords, and that one individual is currently selling access to more than 135,000 cracked Quidd passwords.

HackerOne technical program manager Prash Somaiya says the Quidd incident indicates a need for organisations to co-ordinate with the hacking community.

“Having a cybersecurity strategy that engages with the wider hacking or researcher community can provide that extra layer of protection,” says Somaiya.

“Having a Vulnerability Disclosure Policy – a clear channel through which security researchers can report any issues - means that researchers like these can flag any potential issues before they feel they have no choice but to report publicly through the media.